Saturday, May 4, 2019

Hairpin route on ASA after upgrade blocks ICMP

We have a pair of ASAs that host a few web servers that are accessible via NAT addresses from the internet. A very strange issue occurred after performing a zero-downtime upgrade on the pair of ASA 5540s in active/standby. We were running 8.4(1) code and failed over to the standby unit that was running 9.0(4).

For internal monitoring we have a hairpin (aka u-turn) route on the inside interface of the ASA that points to an MPLS router to get back to our internal network (for OOB management/monitoring). The weird issue is that upon failing over, all TCP and UDP connections coming from our internal network work (across the hairpin route). The only thing that does not work from the internal network is ICMP.

Our monitoring tools triggered saying ping was down, but SNMP, ssh, https were up. What gives?

I started to troubleshoot this to see if the ICMP packets were reaching the ASA. Per the logs, ICMP sessions were created and torn down. I also did a packet capture on the ASA, and saw packets being received and coming back. The one caveat I saw in the packet capture is that for every 2 requests I saw only 1 reply.

I finished upgrading the ASA to 9.1(7) hoping it was a bug with the interim upgrade. The problem still persisted. ICMP requests and replies don't complete.

ICMP is not inspected in the default policy. The same-security-traffic intra-interface command is applied (TCP and UDP sessions are working correctly). Am I possibly missing something with how ASAs handle hairpin routes/NATs between the upgrades? This issue is a head-scratcher.
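The two settings the post names, shown side by side as an added ASA configuration illustration (not configuration from the author's ASAs): the hairpin permit that is reported as present, the shipped global policy in which ICMP is not inspected, and the same class with stateful ICMP inspection turned on. The policy-map contents and the show commands are assumed from ASA defaults and documentation; the post does not confirm that ICMP inspection is the cause.

```cisco
! Hairpin (u-turn) traffic enters and leaves the same interface, so the
! ASA must be told to permit it. The post reports this is already applied.
same-security-traffic permit intra-interface
!
! Global policy as shipped (assumed default): ICMP is not in the
! inspection list, so echo replies are not tracked against the request
! that created the flow and have to be permitted explicitly by ACL.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  ! (remaining default inspections omitted)
!
! Same class with stateful ICMP inspection enabled: the ASA now matches
! each echo reply to its request, including across the hairpin route.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Checks from the CLI to confirm the flow is built and replies are
! counted, instead of relying only on the monitoring tool's ping.
show service-policy inspect icmp
show conn protocol icmp
show asp drop
```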
